[ https://issues.apache.org/jira/browse/CXF-2638?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Daniel Kulp reassigned CXF-2638:
--------------------------------

    Assignee: Daniel Kulp

> WS-SecurityPolicy SignedElements, SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions incorrectly verified
> --------------------------------------------------------------------------
>
>                 Key: CXF-2638
>                 URL: https://issues.apache.org/jira/browse/CXF-2638
>             Project: CXF
>          Issue Type: Bug
>          Components: WS-* Components
>    Affects Versions: 2.3
>            Reporter: David Valeri
>            Assignee: Daniel Kulp
>         Attachments: cxf-2638.patch
>
>
> When security configuration is provided via WS-SecurityPolicy, the PolicyBasedWSS4JInInterceptor enforces the SignedElements assertion incorrectly. If there is more than one match to the assertion XPath, the validation code does not correctly detect the unsigned matches so long as any one of the matches is signed. This logic does not accurately reflect the case in which multiple matches for the signature coverage XPath exist in the message and may provide a false sense of integrity in the message.
>
> Per section 1.2 of the WS-Security spec:
> The XPath expression "identifies the nodes to be integrity protected."
>
> Based on this language, it seems as if all nodes matching the XPath expression must be integrity constrained.
>
> Similar issues exist with the SignedParts, EncryptedParts, EncryptedElements, and ContentEncryptedElements assertions as well.
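
The difference between the "any match" check the report describes and the "all matches" reading it argues for, as an added example (not CXF or WSS4J code, and not taken from cxf-2638.patch). The class and method names, the constructed message, the plain `Id` attribute and the `signedIds` set standing in for verified signature references are all assumptions of the example.

```java
import java.io.StringReader;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPathConstants;
import javax.xml.xpath.XPathFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.InputSource;

public class SignedElementsCoverage {
    // Constructed message: two nodes match the XPath, only "i1" is signed.
    static final String MSG = "<Envelope><Body>"
        + "<Item Id='i1'>a</Item><Item Id='i2'>b</Item>"
        + "</Body></Envelope>";

    // True when the i-th matched element's Id is covered by a signature.
    static boolean isSigned(NodeList m, int i, Set<String> signedIds) {
        return signedIds.contains(((Element) m.item(i)).getAttribute("Id"));
    }

    // Behaviour described in the report: one signed match satisfies the check.
    static boolean anyMatchSigned(NodeList m, Set<String> signedIds) {
        for (int i = 0; i < m.getLength(); i++) {
            if (isSigned(m, i, signedIds)) return true;
        }
        return false;
    }

    // Strict reading: every match must be covered. Zero matches passes
    // vacuously here (an assumption of this example).
    static boolean allMatchesSigned(NodeList m, Set<String> signedIds) {
        for (int i = 0; i < m.getLength(); i++) {
            if (!isSigned(m, i, signedIds)) return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        NodeList matches = (NodeList) XPathFactory.newInstance().newXPath().evaluate(
            "//Item", dbf.newDocumentBuilder().parse(new InputSource(new StringReader(MSG))),
            XPathConstants.NODESET);
        // Stand-in for the Ids covered by already-verified signature references.
        Set<String> signedIds = Set.of("i1");
        System.out.println("any match signed:   " + anyMatchSigned(matches, signedIds));
        System.out.println("all matches signed: " + allMatchesSigned(matches, signedIds));
    }
}
```

On the constructed message the first check accepts and the second rejects, because `i2` matches the XPath but is not in the signed set.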